[webkit-dev] Do we need a "webkitBackground" property for XMLHttpRequest?

Adam Barth abarth at webkit.org
Tue Jul 24 02:58:00 PDT 2012

I don't think we should add this property.  Instead we should not ever
present HTTP auth dialogs for any requests other than the main
resource for the top-level frame.  Presenting HTTP auth dialogs in
other contexts is a phishing risk.


On Tue, Jul 24, 2012 at 2:47 AM, xuewen <xuewen.wang at torchmobile.com.cn> wrote:
> When we send XMLHttpRequest  to access search engines or it is sent from
> chrome extensions,  we may do/don't want the browser to show the
> authentication challenge dialog. Should we provide a property to give a
> choice to users such as the "webkitBackground"?
> Please see the bug https://bugs.webkit.org/show_bug.cgi?id=91964
> If we totally disable XHR popping up the challenge dialogs, then how can the
> user request the resource using XHR from the sites across origins and
> requiring authentications? Or will this operation be disallowed in the
> future?
> One way is to show a form by javascript to ask for the credentials in its
> "onReadyStatusChange" and resend it by XHR. Is this the reason to totally
> disable the XHR popping up challenge dialogs?
> Sean Wang

More information about the webkit-dev mailing list